Authorizing the Google Cloud SDK

This document explains how to install and authorize the Google Cloud SDK in your primary container.

Overview

The Google Cloud SDK is a powerful set of tools that can be used to access Google Cloud Platform (GCP) services like Google Compute Engine and Google Kubernetes Engine. On CircleCI, the Google Cloud SDK is the recommended way to deploy your application to GCP products.

Prerequisites

  • A CircleCI 2.0 project.
  • A GCP project.

Steps

Installing the Google Cloud SDK

If Debian is an acceptable operating system for your primary container, consider using Google’s base Docker image. You can find this image on DockerHub as google/cloud-sdk.

Otherwise, follow the Google Cloud SDK installation instructions for your base image’s operating system.

Creating and Storing a Service Account

Before you can use any tools in the Google Cloud SDK, you must authorize gcloud. Google offers two types of authorization: user accounts and service accounts. Because you are installing the Cloud SDK on CircleCI, the service account is the appropriate choice.

  1. Create a service account by following Steps 1-3 of Google’s instructions. Remember to download the JSON-formatted key file.

  2. Add the contents of the key file to CircleCI as a project environment variable. In this example, the variable is named GCLOUD_SERVICE_KEY. Using this particular name is not required, but it will be used throughout the examples in this document.

  3. For convenience, add three more environment variables to your CircleCI project:

    • GOOGLE_PROJECT_ID: the ID of your GCP project.
    • GOOGLE_COMPUTE_ZONE: the default compute zone.
    • GOOGLE_CLUSTER_NAME: the target cluster for all deployments.

Authenticating to Google Container Registry

Depending on the base Docker image you chose, you may have to authenticate to the Google Container Registry.

If you are using Google’s public image (google/cloud-sdk), no authentication is needed.

version: 2
jobs:
  deploy:
    docker:
      - image: google/cloud-sdk

If you are using a custom image, you must authenticate to GCR. Use the auth key to specify credentials.

version: 2
jobs:
  deploy:
    docker:
      - image: gcr.io/project/<image-name>
        auth:
          username: _json_key  # default username when using a JSON key file to authenticate
          password: $GCLOUD_SERVICE_KEY  # JSON service account you created

Copying the Service Account to a Local File

Before you can authorize the SDK, you must write the service account key stored in the environment variable to a local file.

version: 2
jobs:
  deploy:
    docker:
      - image: google/cloud-sdk
    steps:
      - run:
          name: Store Service Account
          command: echo "$GCLOUD_SERVICE_KEY" > "${HOME}/gcloud-service-key.json"

Note: To use certain services (like Google Cloud Datastore), you will also need to set the CircleCI $GOOGLE_APPLICATION_CREDENTIALS environment variable to ${HOME}/gcloud-service-key.json.
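
A more defensive version of the copy step above, as an added example that is not part of the original CircleCI document: it checks that the variable holds a service account key and creates the file readable only by the current user. The function names and the --demo flag are assumptions of this example; GCLOUD_SERVICE_KEY is the variable defined earlier.

```shell
#!/usr/bin/env bash
# Added example. store_service_key, remove_service_key and --demo are names
# chosen for this example; GCLOUD_SERVICE_KEY is the variable from this page.

store_service_key() {
  key_file="$1"
  # Fail early when the project variable is missing or empty.
  if [ -z "${GCLOUD_SERVICE_KEY:-}" ]; then
    echo "GCLOUD_SERVICE_KEY is not set" >&2
    return 1
  fi
  # Refuse values that are not a service account key (a user credential,
  # a truncated paste) before they are written anywhere.
  if ! printf '%s' "$GCLOUD_SERVICE_KEY" |
      grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"'; then
    echo "GCLOUD_SERVICE_KEY is not a service account key" >&2
    return 1
  fi
  # Subshell keeps the umask change local. Removing any old file first makes
  # the new one get mode 0600 at creation. Quoting plus printf '%s' prevents
  # word splitting, globbing and escape processing of the key text.
  (
    umask 077 &&
    rm -f -- "$key_file" &&
    printf '%s\n' "$GCLOUD_SERVICE_KEY" > "$key_file"
  )
}

# Delete the key once the deployment commands have finished.
remove_service_key() {
  rm -f -- "$1"
}

# Demo with a constructed, non-functional key: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  GCLOUD_SERVICE_KEY='{"type": "service_account", "private_key": "CONSTRUCTED"}'
  demo_file="$(mktemp -d)/gcloud-service-key.json"
  store_service_key "$demo_file" && ls -l "$demo_file"
  remove_service_key "$demo_file"
fi
```

Shell functions exist only in the run step that defines them, so define and call them in the same step as the gcloud commands, or keep them in a script checked into the repository.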

Authorizing the Google Cloud SDK

Use gcloud to authorize the Google Cloud SDK and set several default settings.

version: 2
jobs:
  deploy:
    docker:
      - image: google/cloud-sdk
    steps:
      - run:
          name: Store Service Account
          command: echo "$GCLOUD_SERVICE_KEY" > "${HOME}/gcloud-service-key.json"
      - run: |
          sudo gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
          sudo gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
          sudo gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
          sudo gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

Note: If you are using a custom base image, ensure that you have the most recent components by adding the following command before authorizing the SDK.

sudo gcloud --quiet components update